Life-saving pacemakers could be hacked with malware

Who would have thought that a pacemaker could end up killing you? Well, at the Black Hat information security conference in Las Vegas, researchers have demonstrated that it’s possible to hack a pacemaker, and potentially manipulate it to kill the wearer.

In a live session, Jonathon Butts of QED Secure Solutions and Billy Kim Rios of Whitescope.io showed the world just how easy it is to interfere with implanted medical devices by remotely switching off an insulin pump, before taking control of a pacemaker by hacking the program doctors use to monitor a patient’s device.

After asking anyone with internet-connected medical devices to leave the room, they were then able to deliver what would be life-threatening electric shocks, as well as withholding the crucial regular shocks altogether, which could have fatal consequences for the user.

A new security issue

They were able to do this because the manufacturer of this particular pacemaker, Medtronic, delivers updates to its devices using an unencrypted network which can be hacked into using a VPN. The company has so far refused to fix these security failings, despite pressure from Butts and Rios, who said they first notified Medtronic of the issues “570 days ago”.

The hacking of implanted medical devices has been a concern for a few years, and internet connected devices are becoming more commonplace, issues with network security are a new consideration for manufacturers.

The internet of (medical) things

Internet-connected medical devices are becoming increasingly commonplace, with estimates that the marketplace will reach over $136 billion by 2021. Integrated in everything from insulin pumps to portable blood-testing kits, they make it possible for doctors to receive real-time diagnostic data from patients without having to see them in person.